Newly disclosed Spectre variant 4 brings more side channel concerns

Just when it looked like the technology industry had finally started to get a handle on the Meltdown and Spectre vulnerabilities, a new Spectre variant has been disclosed.

Microsoft and Google both disclosed Monday that the new vulnerability, dubbed “variant 4,” is similar to the original Meltdown and Spectre vulnerabilities in that it involves speculative execution side channels on systems running Intel, AMD and ARM processors. However, Spectre variant 4 is categorized as a “moderate”-severity flaw, whereas the original vulnerabilities were classified as critical. The new variant, which involves a speculative store bypass, could allow threat actors to read privileged data across trust boundaries.

Spectre variant 4 was discovered by Jann Horn, a security researcher at Google’s Project Zero who was part of the Meltdown and Spectre discovery team, and independently discovered by Ken Johnson of the Microsoft Security Response Center. According to Google’s bug tracker, Horn found the issue, CVE-2018-3639, in February, just a few weeks after the original vulnerabilities were disclosed. Variant 4 affects some Intel, AMD and ARM processors.

Microsoft’s security advisory warned that vulnerable code in both operating systems and applications could be exploited by threat actors. “In the case of Just-in-Time (JIT) compilers, such as JavaScript JIT employed by modern web browsers, it may be possible for an attacker to supply JavaScript that produces native code that could give rise to an instance of CVE-2018-3639,” the advisory states. “However, Microsoft Edge, Internet Explorer, and other major browsers have taken steps to increase the difficulty of successfully creating a side channel.”

Leslie Culbertson, executive vice president and general manager of Product Assurance and Security at Intel, wrote in a security advisory Monday that the chip giant hasn’t seen any reports of the Spectre 4 variant being exploited in the wild.

Culbertson said mitigations deployed for Spectre variant 1, which were rolled out in January, are applicable for mitigating variant 4. However, she said, Intel and its industry partners worked on a full, dedicated mitigation for the new Spectre variant as well. “We’ve already delivered the microcode update for Variant 4 in beta form to OEM system manufacturers and system software vendors, and we expect it will be released into production BIOS and software updates over the coming weeks,” she wrote.

However, the forthcoming mitigation will be off by default, Culbertson wrote, adding that most software partners will leave the mitigation off by default as well. Intel said that, if enabled, the mitigation for Spectre variant 4 could lower system performance by 2% to 8%, according to SYSmark and Standard Performance Evaluation Corporation (SPEC) benchmark scoring.
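Because the variant 4 mitigation ships off by default, a process that hosts untrusted code (a JavaScript JIT, for instance) has to opt in on its own. The following is an added example, not code from the article or from Intel or Microsoft; it assumes a Linux kernel that exposes the per-process Speculative Store Bypass control through prctl(2), queries the current state, decodes it, and opts the calling process in.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>

/* Fallbacks for build hosts whose headers predate the prctl speculation API
 * (assumed constants; they match the values the kernel uses). */
#ifndef PR_GET_SPECULATION_CTRL
#define PR_GET_SPECULATION_CTRL 52
#endif
#ifndef PR_SET_SPECULATION_CTRL
#define PR_SET_SPECULATION_CTRL 53
#endif
#ifndef PR_SPEC_STORE_BYPASS
#define PR_SPEC_STORE_BYPASS   0
#define PR_SPEC_NOT_AFFECTED   0
#define PR_SPEC_PRCTL          (1UL << 0)
#define PR_SPEC_ENABLE         (1UL << 1)
#define PR_SPEC_DISABLE        (1UL << 2)
#define PR_SPEC_FORCE_DISABLE  (1UL << 3)
#endif

/* Ask the kernel for this task's store-bypass status. Returns the bitmask,
 * or -1 with errno set (ENODEV: no mitigation on this CPU/kernel). */
long ssb_query(void)
{
    return prctl(PR_GET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, 0, 0, 0);
}

/* Opt this task (and children it forks or execs) into the mitigation. */
int ssb_opt_in(void)
{
    return prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS,
                 PR_SPEC_DISABLE, 0, 0);
}

/* Decode the bitmask: "disable" here means store bypass is disabled, i.e.
 * the process is mitigated; "enable" means speculation is allowed. */
const char *ssb_state_name(long state)
{
    if (state < 0)                     return "query failed";
    if (state == PR_SPEC_NOT_AFFECTED) return "not affected";
    if (state & PR_SPEC_FORCE_DISABLE) return "mitigated (forced, cannot re-enable)";
    if (state & PR_SPEC_PRCTL)
        return (state & PR_SPEC_DISABLE) ? "mitigated (per-process opt-in)"
                                         : "vulnerable (mitigation available, not opted in)";
    return (state & PR_SPEC_DISABLE) ? "mitigated (system-wide, fixed)"
                                     : "vulnerable (system-wide, fixed)";
}

int main(void)
{
    long before = ssb_query();
    printf("before opt-in: %s\n", ssb_state_name(before));
    if (before > 0 && (before & PR_SPEC_PRCTL)) {   /* only when the kernel lets us choose */
        if (ssb_opt_in() != 0)
            printf("opt-in failed: %s\n", strerror(errno));
        printf("after opt-in:  %s\n", ssb_state_name(ssb_query()));
    }
    return 0;
}
```

The opt-in is sticky for the task and is inherited by its children, so a JIT host can make the call once at startup before loading any untrusted code.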

The new Spectre variant disclosure follows months of reported performance degradation, troubled mitigation efforts and problematic patches for the original Meltdown and Spectre vulnerabilities. Last month, Intel announced that many new processors will be shipped with Spectre mitigations built into the microcode, while hundreds of old chip models will not receive such microcode updates.